November 4, 2020

ISO 27001 and GDPR: Is it Enough for Website Compliance?

ISO 27001 and GDPR are fundamentally different frameworks, but they share a lot of common principles in relation to data protection.

ISO 27001 and GDPR are fundamentally different frameworks,  although they share a lot of common principles in relation to data protection. 

The difference between GDPR and the ISO 27001 standard is that an  ISO 27001 certification implies that your business has put mechanisms in place to safeguard sensitive data and information, as well as the relevant supporting assets.

On the other hand, the EU’s GDPR is a set of regulations and guidelines focused on overseeing how businesses collect, process, and share the personal information of EU citizens. 

The question most people ask is whether being ISO 27001 certified is equivalent to full GDPR compliance. 

To address this question, let us explore in detail; 

  • What is GDPR? 
  • What is ISO 27001?
  • What are the Key GDPR Requirements
  • What are the Main Data Protection Principles under ISO 27001
  • What are the Similarities between GDPR and ISO 27001?
  • How does ISO 27001 certification help in GDPR compliance? 

What is GDPR? 

The foundation of the General Data Protection Regulation is a set of new regulations developed to give EU citizens more control over their personal information. 

The GDPR, as the EU’s data privacy law is commonly called, seeks to streamline the regulatory framework for businesses such that residents and companies in the European Union can benefit from the fast-expanding digital economy. 

The introduction of the GDPR in May 2018 was informed by the need for data privacy regulations to keep up with the world we live in today.

For this reason, it introduced laws and provisions enforced across Europe to reflect the current age, which is characterized by high internet connectivity. 

The most common laws under the GDPR are connected to how businesses process personal data, how they obtain valid cookie consent from users, and protecting personal data from breaches. 

The introduction of the GDPR did not come as a surprise because every aspect of our lives today revolves around data. 

Whether it is a social media company, bank, retailer, or even the government, service delivery often involves the collection and processing of personal information. 

Essentially, your name, credit card number, email address, and other forms of personal data are collected, processed, stored, and in some cases, shared with third parties.  

Therefore, GDPR requirements oblige businesses to guarantee that personal information is collected legitimately and safeguarded from data breaches and misuse. 

Additionally, The EU’s data protection regulation requires businesses to respect the rights of data subjects. 

Read more about what GDPR is and how to become GDPR compliant.

What is ISO 27001? 

ISO 27001 is a comprehensive standard that focuses on three main risks to information security. They are; 

  • People 
  • Processes 
  • Technology 

Adopting this standard allows you to track and improve performance. Additionally, it allows you to regularly identify, minimize, and eliminate risks to the data your business handles. 

As your business grows, data management also gets increasingly complex. This is because the types of data you oversee expand, which makes it harder to track their movement and accessibility. 

In most cases, the recommended action is the adoption of an Information Security Management System (ISMS). 

However, imagine, you develop an internal ISMS. Typically, questions about its robustness as well as your staff’s understanding of best practices may arise. 

Some of the stakeholders that may need to know whether your ISMS is fit for managing data security risks including your users, strategic partners, and regulators. 

The ISO 27001 certification, which is a global standard for mandating specific requirements for an ISMS, gives you autonomously audited evidence that your business meets international-recognized best practice for data security management. 

What are the Key GDPR Compliance Requirements? 

Expanded Scope of Data that Needs Protection

The GDPR focuses on protecting a broader scope of data beyond personal information such as names, email addresses, and social security numbers. 

As such, it covers other types of information that can be used to identify a person such as medical and biometric data, political views, as well as religious or ethnic background data. 

Valid and Freely Given User Consent 

If you collect and process user information, the EU’s data privacy law requires you to obtain valid GDPR cookie consent. 

To comply with this obligation, you need to keep records of whether consent was given or not. Furthermore, the records should indicate that this consent was given in a clear and concise way. 

Broadened Data Subject Rights

GDPR introduced several regulations aimed at helping people get better control over their personal information.

Under this data protection regulation, EU residents have the right; 

To be informed of their data being collected, how it used, whether it will be shared by third parties and how it is maintained

  • Of access to the type of personal information that a company holds 
  • To Rectification of inaccurate or incomplete data that a business has collected about them
  • To erasure of their personal information by a company in defined circumstances
  • To restrict processing of their data by a business
  • To data portability 
  • To object the processing of their personal data
  • To challenge and review Automated decision making including profiling 

Heavy Fines for Non-Compliance 

The GDPR penalties can reach a maximum of EUR 20 million or 4 percent of the annual revenue (whichever is greatest) of the organization, depending on the facts and circumstances of non-compliance with GDPR requirements.

Furthermore, for the first time, class action litigation is also allowed, resulting in exposure to both regulatory enforcement and private litigation for a company’s failure to be compliant with GDPR.

Strict Data Breach Notification Requirements 

In case of a data breach, the GDPR mandates you to report to a relevant Data Protection Authority within 72 hours after it is first detected. 

If you fail to meet this requirement, you are required to offer valid reasons for the delay.

What are the Key Requirements of ISO 27001

 

Asset Management 

To achieve ISO 27001, you are required to satisfy and maintain necessary protection of your business assets. 

This means you are required to identify your asset and outline regulations for the acceptable use of data. 

Additionally, all the data must be categorized based on its value, legal obligations, sensitivity, and importance to your business. 

Operational Security

In this case, the ISO 27001 standard provides standard operational guidelines and responsibilities. 

Some of the controls are focused on; 

  • Separation of development 
  • Testing and operational setting
  • Change management 
  • Documenting operating processes

Access Control

Under this obligation, ISO 27001 establishes principles that you should adopt to govern the use of data within your business as well as preventing unauthorized access to operating systems, networked services, and information processing facilities among others. 

As such you are required to have regulations to oversee user access management, control of privileged access rights, user responsibilities, as well as system and application access control. 

Information Security Incident Management

ISO 27001 outlines the rules for reporting IT security events and weaknesses, dealing with IT security incidents, and improving these procedures. 

You are required to report security incidents in a way that makes it possible for a swift and effective response. 

Human Resource Security 

In this context, you are required to guarantee that staff and contractors are sensitized about and meet their information security obligations. 

You need to carry out awareness training and take official corrective measures against members of staff who commit an information security breach. 

Business Continuity

ISO 27001 establishes information security aspects of business continuity management. 

You need to determine the requirements for continuity of information security management during challenging times, document, and uphold security controls to ensure the needed degree of continuity. 

Furthermore, you are required to authenticate these controls regularly. 

What are the Similarities between ISO 27001 and GDPR? 

It goes without question that ISO 27001 and GDPR requirements intersect, especially in relation to their data protection requirements. The core similarities include; 

Data Protection by Design and Default

According to the GDPR, you need to adopt technical and organization strategies during the design phase of all projects to guarantee data privacy from the off.  Similarly, you are required to protect user data by default through ensuring that you only collect necessary information for each particular purpose of processing. 

In relation to ISO 27001, you need to satisfy identical requirements in that you are expected to understand the scope and context of information you collect and process. You are also required to carry out regular risk assessments to ascertain the robustness of your data safety measures

Risk Evaluation

Both ISO 27001 and GDPR require your to adopt a risk-based strategy when it comes to data protection. 

On the one hand, GDPR obliges you to carry out a Data Protection Impact Assessment (DPIA) to evaluate and identify security vulnerabilities that may affect your user’s data. It is important to note that under the EU’s data privacy regulation, it is mandatory before processing highly sensitive personal information. 

On the other hand, ISO 27001 also recommends that you carry out a thorough assessment to find the risks and weaknesses that may compromise your business assets. Additionally, you need to implement relevant information security strategies that are dependent on the findings of this risk evaluation. 

Data Privacy, Availability, and Transparency

According to the General Data Protection Regulation, you are required to ensure that the personal information you collect is secure from illegal processing, accidental loss, and damage. 

It further requires you to adopt, run,and maintain necessary technical and corporate strategies to guarantee data safety. Some of the prescribed measures include; 

  • Encryption
  • Implementing resilient data processing systems and services
  • Capacity to restore the availability of personal information in a timely way

Similarly, the controls outlined by the ISO 27001 standard are geared towards helping you achieve data privacy, availability, and integrity. 

For instance, ISO 27001 obliges you to identify internal and external issues that can compromise your security programs. Additionally, this standard recommends that you should identify your safety objectives and design a data security program that can help you realize them.

Lastly, ISO 27001 also sets the standard for the sustained maintenance of your data security program and requires you to document to demonstrate legal compliance. 

Breach Notifications

Under the GDPR, you need to inform a DPA within 72 hours after you first discover that the personal data you hold has been compromised. You must also inform the affected data subjects without delay.

The ISO 27001 standard has identical controls in that you need to notify a regulatory authority once a data breach has occurred. 

Although it does not specify the timeframe within which you need to alert authorities, it makes it clear that this notification should be made immediately and in a way that makes it possible for corrective action to be taken quickly. 

Managing Vendors 

If you outsource your data processing to contractors, ISO 27001 controls require you to monitor and evaluate their service delivery to ensure it meets data safety standards. 

Similarly, the GDPR makes it clear that you need to have agreements with your vendors with assurances of best practice in relation to GDPR data protection obligations. 

Maintaining Records 

For your business to be certified under ISO 27001, you must document your data safety procedures, the outcomes of your security risk assessments, and risk treatment. 

In identical fashion, the GDPR requires you to keep records of your data processing activities, inclusive of the categories of data, the purposes of processing, and a general description of the relevant technical and organizational security strategies. 

How does ISO 27001 Help with GDPR Compliance? 

  • The GDPR requires you to carry Data Protection Impact Assessments, where you need to first review the risks to your data privacy measures. Similarly, this is also required by ISO 27001. Therefore, implementing ISO 27001, enables you to satisfy the GDPR obligation of classifying personal data as highly critical.
  • When you implement ISO 27001 standards, it is mandatory to have a list of relevant legislative, statutory, regulatory, and contractual requirements. If you are required to be compliant with GDPR, this regulation is also vital.
  • You are required to notify data authorities within 72 hours after you discover a breach of personal data. Implementing ISO 27001 ensures a consistent and effective approach to the management of information security incidents, including communication on security events. As such, adopting incident management in your business that facilitates detection and reporting of data breach incidents improves your company’s efforts to comply with GDPR.
  • The ISO 27001 mandates the consideration of personal data as information security assets, and requires you to understand what personal data you collect, where you store it, how long, its origin, and who has access, which are all requirements of the GDPR too.
  • The implementation of Privacy by Design, a GDPR requirement, becomes mandatory in the development of products and systems. ISO 27001 ensures that information security is an integral part of information systems across the entire lifecycle.

Is ISO 27001 Enough for GDPR Compliance?

While there are some areas covered under the GDPR that are not controlled under the ISO 27001 standard, it covers most of the requirements of EU’s data privacy law by the virtue of personal data being recognized as an information security asset under ISO 27001.

This means the standard and the new regulations share similar principles on data security.

However, ISO 27001 has a broader scope than GDPR because it applies to a company's critical data alongside personal information.

While you can use the ISO standard to protect personal information alongside other types of information within your business, there are certain provisions in the GDPR that do not fall under the scope of ISO 27001. The provisions include;

Consent; you are required to demonstrate that your data subjects have agreed to the processing of their personal data. Your request for consent must be given in an easily accessible form, with a clear purpose for collecting the data. Furthermore, you must allow data subjects their right to withdraw their consent at any time.

Data portability; You are required to uphold your visitors’ right to obtain and reuse their personal data for their own purposes across different services, as well as transmit that data to another controller without hindrance to usability 

The right to be forgotten; GDPR requires you to extend users the right to have their personal data erased or stop further dissemination of it without delay 

The right to restriction of processing; You must allow users their right to limit the way you use their personal information if their data has been unlawfully processed or the individual challenges the accuracy of the data.

Right to object; Guarantee your data subjects the right to object to data processing for direct marketing, the performance of legal tasks, or research purposes and statistics.

International transfers of personal data; your company must ensure that international data transfers are carried out in accordance with rules approved by the European Commission.

In a nutshell, since ISO 27001 doesn't specifically include these rights, being certified to it doesn't necessarily mean that you're also GDPR-compliant.

However, It will certainly support you in your GDPR compliance goals and bring you closer to reaching them.

Get your additional queries or concerns about ISO 27001 and GDPR answered with a GDPR expert by booking a call with us today.